FIELD OF THE INVENTION
The invention relates to a semiconductor storage device with a large number of storage cells, arranged on a semiconductor substrate at intersections of bit lines and word lines, which, for programming with data contents, can be driven by means of a word-line drive circuit and a bit-line drive circuit.
A semiconductor storage device of this type finds a preferred application in so-called smart cards, that is to say identity cards, credit cards, account cards and the like, which are equipped with an integrated circuit having a microprocessor. The producer of a smart card can equip the microprocessor with a permanently stored operating system which undertakes basic functions, for example procedures for comparing an externally input code with a stored code, and the like. In addition to storing the operating system, the memories inside the smart card, which are assigned to the microprocessor, are also used for storing specific applications and parameters which, for example, are required for the security check and must in each case be kept secret. A smart card of this type can be employed for varied applications if the producer provides a suitable operating system with associated programs, provides specific suitable interfaces and reserves a memory or a storage area for one or more imported application programs. In this way, the card producer can provide the user of the smart card with a memory or storage area for programming an imported user program. In a user program, it is, for example, possible to establish special operations which run independently of the operating system and relate merely to the special data-processing operations of the user. With one smart card configuration which can be used in a particularly varied way, provision may furthermore be made for a plurality of different users to store their corresponding programs in the smart card independently of each other.
In each case, as with all security-critical data-processing systems which, for example, are used for processing data which are confidential or have monetary value, special protection must be provided against data manipulation or unauthorized data access. It must therefore be ensured that security-relevant data, which form a component of the operating system or of the individual user programs, are protected from unauthorized access. In the case of a credit card as an example of a smart card, which comprises an integrated circuit with a non-volatile memory (for example an EEPROM or a ROM) and a microprocessor, safeguarding from manipulation requires that a user program stored in the non-volatile memory does not have uncontrolled access to other user programs or operating-system routines, which are likewise held in the non-volatile memory.
The prevention of this type of access can be ensured by a security circuit for memory access supervision which has been disclosed, for example, in DE 41 15 152 A1 or U.S. Pat. No. 5,452,431.
In this regard, essentially three different measures are explained in DE 41 15 152 A1. In a first measure, the addresses at which the user program starts in the storage area are stored in two auxiliary registers in the represented circuit before execution of the user program stored in the EEPROM. During the program execution, continuous comparison is made between the current address-bus value and the first auxiliary register, and between the program counter value and the second auxiliary register. A first comparison is used to determine whether a user program is active. A second comparison is used to conclude whether a permissible address range for the user program is actually being employed. If a user program is active and is not operating in a permissible range, a reset signal is triggered in the microprocessor. This measure has the disadvantage that the circuit requires additional auxiliary registers and comparators for n bits, n representing the address-bus width. In a second measure, it is proposed to supervise the program counter and the address-bus value using an additionally provided monitoring processor with its own memory. As in the first measure, a reset signal is triggered if a user program accesses an unpermitted address range. This circuit has the disadvantage that an additional processor with memory is required.
In a third measure, or circuit, each storage area to be protected separately has different most-significant address bits (block-select bits). Before execution of the user program stored in a PROM block, the block-select bits are stored in an auxiliary register. During the program execution, the most-significant current address-bus bits are stored continuously in a second auxiliary register and compared with the first auxiliary register. If the contents of the auxiliary registers are different, it is concluded that the active user program is addressing another program storage area in a manner which is not permitted. A reset signal is consequently triggered. This circuit has the disadvantage that, for a small number of bits (for example two bits), only a rigid and uniform relatively coarse block subdivision is possible (for example a quarter of the total memory). Furthermore, only a continuous storage area can be allocated to an imported program. The imported program with the greatest program-memory requirement therefore determines the block size for the other imported programs as well, so that the use of memory is overall unfavourable.
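The third measure can be modelled in software as follows. This is an added illustration, not code or circuitry from DE 41 15 152 A1; the 16-bit address bus, the type and function names, the sticky reset and the program sizes are assumptions chosen to show the block-select comparison and the memory left unused by whole-block allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: 16-bit address bus, two block-select bits. */
#define ADDR_BITS   16u
#define SELECT_BITS 2u
#define BLOCK_SIZE  (1u << (ADDR_BITS - SELECT_BITS))  /* a quarter of memory */

typedef struct {
    uint16_t latched;  /* first auxiliary register: block of the running program */
    bool     reset;    /* reset signal, modelled as sticky (assumption) */
} supervisor;

static uint16_t block_select(uint16_t addr) {
    return (uint16_t)(addr >> (ADDR_BITS - SELECT_BITS));
}

/* Before the user program executes: store its block-select bits. */
void supervisor_start(supervisor *s, uint16_t entry) {
    s->latched = block_select(entry);
    s->reset = false;
}

/* Each bus cycle: compare the current top bits with the latch; true = permitted. */
bool supervisor_access(supervisor *s, uint16_t bus_addr) {
    if (block_select(bus_addr) != s->latched) s->reset = true;
    return !s->reset;
}

/* Bytes left unused when each program occupies one whole block; -1 if one does not fit. */
long wasted_bytes(const uint32_t *sizes, size_t n) {
    long waste = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > BLOCK_SIZE) return -1;
        waste += (long)(BLOCK_SIZE - sizes[i]);
    }
    return waste;
}

int main(void) {
    supervisor s;
    uint32_t sizes[] = {12000, 900, 300};        /* constructed sizes in bytes */
    supervisor_start(&s, 0x4000);                /* program lives in block 1 */
    int same = supervisor_access(&s, 0x7FFF);    /* same block: permitted */
    int other = supervisor_access(&s, 0x8000);   /* other block: reset */
    printf("same=%d other=%d wasted=%ld\n", same, other, wasted_bytes(sizes, 3));
    return 0;
}
```

Because only the block-select bits are compared, every address inside the latched block passes the check, whatever the program's actual length.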
U.S. Pat. No. 5,452,431 discloses a security circuit for memory access supervision, in particular for application in smart cards, in which the storage area of the EEPROM is subdivided into a repertory region ZR and an application region ZA, as well as a public region ZT. The various storage areas ZR, ZA and ZP are driven separately by means of an address-control circuit, in such a way that respectively determined address ranges are assigned to the individual storage areas, and fixed address limits are predetermined. The commands for writing, reading and erasing the respective storage areas can be blocked or enabled by the address-control circuit in predetermined frameworks. The disadvantage of this circuit resides in the fact that the distribution of the memory is fixed with the production of the EEPROM and can no longer be altered by the user.